Becoming More Secure While Working in Cloud: ISO 27017

15 February, 2019

SigmaSoftware

Sigma Software has launched a special program based on ISO 27017 principles to ensure the security of work in the Cloud. From now on, all projects that involve using the Cloud must comply with the standard's security requirements. Compliance is achieved through project self-assessment checklists, regular audits, and continuous personnel training.

Becoming compliant with ISO 27017 was only a matter of time for us, since Sigma Software is engaged in very diverse projects, and quite often they involve developing Cloud-based products. Moreover, about one fourth of our assignments, mostly for startups, involve not only building the solution but also managing its infrastructure on our side. For such projects, we needed to set clear rules and procedures to ensure that the security requirements are met.

ISO 27017 belongs to the ISO 27001 family of standards that regulate information security. All standards in the family are built on the same core principles, including correct access management, mature asset management, well-conceived encryption management, and so on. Whether you are a consumer of Cloud services or a company providing them, you have to know how to ensure the safety of your information.

Evgeniy Bachinskiy, Quality Director at Sigma Software, explains that the security guidelines of the ISO 27017 Standard are designed specifically for Cloud environments and help rethink the approaches to providing information security:

“When you address Amazon or Azure, you always have to agree on their open offers of providing Cloud services. The same should be done every single time when it comes to providing Cloud services to your customers. In these agreements, you have to clearly define and delineate the areas of responsibility to make sure that you are on the same page with your client. Describe all the details and don't dismiss things that may seem obvious to you: sometimes misunderstanding or misinterpretation of conditions by a Customer leads to unexpected budget increases or downtimes.

Storing sensitive data encrypted is equally important. There are known cases when unencrypted data was left on a server after the termination of its rent, and then found and used by a third party.”

The first task for us was to identify all the projects that involve working in the Cloud or using Cloud services, and then come up with a security checklist for project teams to conduct self-assessment.

“We are now underway with project audits,” Evgeniy says, “to reveal all the possible issues and track them until closing. We will then continue with a series of trainings and workshops from information security specialists to prevent security incidents in the future.”


In-depth understanding of how to ensure information safety in the Cloud brings significant benefits both to our Customers and to our employees, believes Anatoly Kochetov, Delivery Director. “Following the global practices obviously enhances the company's specialists' skills, and Clients' confidence in the services we provide.”

In addition to working with the ISO 27017 Standard, we have also elaborated and implemented a special program based on the US Health Insurance Portability and Accountability Act (HIPAA), which regulates the flow of healthcare information and how it must be maintained and protected from fraud and theft. Violating the Act's provisions leads to significant monetary penalties.

Sigma Software also has a strong background in healthcare projects for global companies that operate on the American market. Thus, to start new projects quickly and safely, we have dived deep into the HIPAA provisions and created a checklist to assess whether the law's requirements are met.